Short Name |
DB:ORACLE:DECLARE-EXEC |
---|---|
Severity |
Minor |
Recommended |
No |
Recommended Action |
Drop |
Category |
DB |
Keywords |
TNS Declare/Exec SQL Injection |
Release Date |
2009/02/26 |
Update Number |
1382 |
Supported Platforms |
idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
This signature detects a possible attempt at SQL injection. An attacker can use SQL over TNS to "declare" a variable (varchar) with an exploit encoded inside it. An "exec" command executed on the variable then executes the encoded exploit. These functions have non-malicious application and therefore should only be used between an HTTP server front-end and the Oracle database server back-end, and not between an administrator's management station and the database server or false positives can result.